Welcome to QSC 2018 and a Quick Introduction

Who am I? Some of you know me already from my past life with Qualys. If not, I am currently the Director of Application Security and DevSecOps for ImagineX Consulting.

Previously, I was the Director of Web Application Security at Qualys for 4+ years.

I am also an appsec and ..., but also a security researcher.

I bring to you decades of experience in financial services, university/higher education, and businesses, both public and private, which I feel grants me the ability to see and lead information security consulting and advisory with a unique, complete, and widely encompassing approach in all aspects of cybersecurity.

Frank Catucci, CISSP

* Location: Newberry, SC
* C: 803-944-0400
* E: frank.catucci@imaginexconsulting.com
Quick Profile

Professional Profile

Frank previously served as the Director of Web Application Security, Product Management and Subject Matter Expert for Qualys. Before that he held a variety of roles and consulting engagements across many industries.

Frank has over 20 years of experience in the Information Technology and Information Security field that spans Fortune 500 enterprise, financial services, university / higher education, government, health care, legal, start-up, public and private industries.

Frank is a contributor to, and current chapter president of, his local Open Web Application Security Project (OWASP) chapter. Frank also conducts security research, bug hunting, and often speaks at information security conferences and events.

Personal Mantra

“If opportunity doesn’t knock, build a door.”

-Milton Berle
Objective and Outline

Objective and what I am here to discuss with you today: ImagineX Consulting has repeatedly been engaged to transform existing application security programs. This talk covers one in particular, for a very large financial technology company, moving from a competing product to Qualys WAS.

Today I will illustrate how Qualys WAS' scale, automation and coverage enabled this client to overcome traditional application scanning constraints and transition to a successful new appsec program that leveraged manual testing services and reporting built around the Qualys Cloud Platform WAS solution.

We will dive in and look at exactly how this combined approach can be used to increase coverage, scale and effectiveness, and to decrease application security risk.
Application Security Challenges

This organization's application security challenges were not unique. But that does not make them any less important!

* Internal staff were already at their limits with time, skill, priority and focus.
* Apps are dynamic and ever changing; their coverage was not.
* Internal scanning is an imperative capability. This was difficult with other solutions.
* Automated scanning cannot, and never will be able to, find all vulnerabilities. Manual testing is required.
* Spending far too much money for questionable results.
* Scale and automation.
* Reporting and visibility.
* Actionable and accurate data relayed to development groups.
How We Address These Challenges

By delivering effective transformation from a competing product with little real insight and control, to Qualys WAS with ImagineX Professional Services!


[Screenshot: Qualys Enterprise, Web Application Scanning dashboard, Tue 30 Oct 2018. Headline counters: 183 total scanned web apps, 0 with Malware Monitoring, All Vulnerabilities 2.38K, 1.65K detections. Panels: Most Vulnerable Web Applications (web application name, last scan date, total vulnerabilities, High/Med/Low), Your Last Scans (scan name, date 30 Oct 2018, status Running), Your Upcoming Scans (no upcoming scans), Catalog (585 New, 0 Rogue, 0 Approved, 0 Ignored), Latest Reports (Scan Report, 30 Oct 2018).]

Dashboard callouts:

* A single report of all your Web Applications
* A one stop inventory of all your onboarded Web Applications
* Aggregated findings across some or all of your applications to find areas of weakness
* Filter results to pinpoint desired applications
* Hover over findings, vulnerabilities or applications to get counts
* Quick Actions to perform many tasks via drop down menu
* Highly customizable via filters and tags
* View Reports via one click
* List of most vulnerable Web Applications
* Monitor all your vulnerabilities in one place
* View, ignore, patch or retest via drop down menu
* Filter by Severity or age
* Utilize tagging for granular reporting


How ImagineX and Qualys Work Together

ImagineX Provides and Delivers

* Qualys expertise. Our Qualys consultants consist of former Qualys employees and customers. Together we have over three decades of Qualys expertise in all of the modules and diverse industries.
* A comprehensive review of WAS program goals — what are you trying to achieve and how?
* Configuration review of Web Apps and Option Profiles
* Scan diagnostics
* Best Practices
* Review of any pain points or difficulties you may be having
* Future goals and plans and how to best achieve them
Qualys Provides and Delivers — Best in Breed DAST

* Robust API
* Scalable and automated solutions that provide accurate and actionable data and results
* High value-to-spend ratio solutions
* Low rate of false positives and false negatives
* Insight into dynamically changing applications AND perimeters
* Support for modern architectures, languages and applications, including CMS systems
* DevSecOps capable out of the box, especially with plugins and extensions
* All-in-one comprehensive SaaS security solution with multifaceted visibility
What This Particular Case Study and Project Looked Like

The plan and understanding:

* Desire for the client's security experts to demonstrate that Qualys can be used as the primary web app scanner, with the ability to cover all applications currently covered by the competitor.
* Internal scanning appliances would be deployed on an internal network (for the first time) and scans against non-production test applications would be completed, supplemented with expert validation of findings to eliminate false positives.
* Documentation delivered to support integrating Qualys web application vulnerability scanning into the client's operations.
The Approach

Our phased approach:

Phase 1 - Discovery & Configuration (Duration: 4.5 Weeks)
Scope:
* Onboard 250 external applications into Qualys WAS
* Authentication records as necessary
* Whitelists, blacklists, REGEX or content adjustments as necessary
* False positive review
* Regular scan schedules
* Scan and application reporting

Phase 2 - Manual Assessments (Duration: 2 Weeks)
Scope:
* Conduct 3 pentests to validate capabilities:
  o App
  o App2
  o App3

Phase 3 - Internal Appliances (Duration: By $date$)
Scope:
* Deploy Qualys virtual scanner appliances onto internal pilot network
* Review scanning architecture
* Configure Qualys WAS to newly deployed scanner appliances
Note: Virtual scanner appliances were deployed to DMZ and DEV VLANs

Phase 4 - Coverage Monitoring (Duration: 4 Weeks)
Scope:
* Complete internal scanning
* Scan and compare the following internal applications:
  o Portal
  o App3
  o App4
  o App5

Phase 5 - Roll Out Readiness (Duration: 3 Weeks)
Scope:
* Produce operating procedures
* Documentation
* Run Books to allow for a repeatable and detailed deployment and continuous program
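The Phase 1 scope (onboarding, authentication records, whitelist/blacklist and REGEX adjustments) is where a 250-application programme lives or dies on repeatability. As an added example, not code from the slides, from ImagineX or from Qualys, the script below turns an onboarding inventory into validated Qualys WAS create-webapp request bodies. The endpoint path, the ServiceRequest/WebApp element names and the scope values are written from my understanding of the WAS v3 API and must be confirmed against the WAS API guide for your platform version; the inventory CSV is constructed sample data, and nothing is sent on the network.

```python
"""Build Qualys WAS 'create webapp' requests from an onboarding inventory.

Added example, not code from the QSC 2018 slides, ImagineX or Qualys. It turns
the Phase 1 scope (web app, authentication record, URL whitelist/blacklist and
REGEX adjustments) into a repeatable, validated request per inventory row.
Assumptions to check against the WAS API guide for your platform: the v3
endpoint /qps/rest/3.0/create/was/webapp, the ServiceRequest/data/WebApp body
with urlBlacklist, urlWhitelist (UrlEntry) and authRecords (WebAppAuthRecord),
and the scope values used below. The inventory CSV is constructed sample data
and nothing is sent on the network.
"""
import base64
import csv
import io
import re
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed inventory sheet: one row per application to onboard.
INVENTORY_CSV = r"""name,url,scope,auth_record_id,blacklist_regex,whitelist
Customer Portal,https://portal.example.com/,LIMITED_TO_DOMAIN,4711,^https://portal\.example\.com/(logout|signout)(\?.*)?$,
Partner API Docs,https://docs.example.com/api/,LIMITED_TO_URL,,,https://docs.example.com/api/v2/
"""


def parse_inventory(text):
    return list(csv.DictReader(io.StringIO(text)))


def validate_row(row):
    """Return the problems found; an empty list means the row is safe to onboard.

    The checks target the usual coverage killers: a blacklist regex that is
    unanchored (it silently excludes every URL containing the fragment) or
    that matches the start URL itself (the crawler then excludes the whole app).
    """
    problems = []
    start = urlparse(row["url"])
    if start.scheme not in ("http", "https") or not start.netloc:
        problems.append("url must be an absolute http(s) URL")
    rx = row.get("blacklist_regex") or ""
    if rx:
        try:
            compiled = re.compile(rx)
        except re.error as err:
            problems.append(f"blacklist regex does not compile: {err}")
        else:
            if compiled.search(row["url"]):
                problems.append("blacklist regex matches the start URL itself")
            if not (rx.startswith("^") or rx.endswith("$")):
                problems.append("blacklist regex is unanchored; anchor it to the intended paths")
    for entry in filter(None, (row.get("whitelist") or "").split(";")):
        if urlparse(entry).netloc != start.netloc:
            problems.append(f"whitelist entry {entry} is outside the app's host")
    return problems


def build_create_request(row):
    """Serialize one validated row as the XML body for create/was/webapp."""
    req = ET.Element("ServiceRequest")
    app = ET.SubElement(ET.SubElement(req, "data"), "WebApp")
    ET.SubElement(app, "name").text = row["name"]
    ET.SubElement(app, "url").text = row["url"]
    ET.SubElement(app, "scope").text = row["scope"]
    if row.get("auth_record_id"):
        rec = ET.SubElement(ET.SubElement(ET.SubElement(app, "authRecords"), "set"), "WebAppAuthRecord")
        ET.SubElement(rec, "id").text = row["auth_record_id"]
    if row.get("blacklist_regex"):
        bl = ET.SubElement(ET.SubElement(app, "urlBlacklist"), "set")
        ET.SubElement(bl, "UrlEntry", regex="true").text = row["blacklist_regex"]
    whitelist = [w for w in (row.get("whitelist") or "").split(";") if w]
    if whitelist:
        wl = ET.SubElement(ET.SubElement(app, "urlWhitelist"), "set")
        for entry in whitelist:
            ET.SubElement(wl, "UrlEntry", regex="false").text = entry
    return ET.tostring(req, encoding="unicode")


def onboard(text):
    """Split an inventory into XML request bodies (clean rows) and rejections (the rest)."""
    bodies, rejected = [], {}
    for row in parse_inventory(text):
        problems = validate_row(row)
        if problems:
            rejected[row["name"]] = problems
        else:
            bodies.append(build_create_request(row))
    return bodies, rejected


def http_request(body, username, password, api_host="qualysapi.qualys.com"):
    """Prepare (not send) the POST; api_host must be the API host of your Qualys platform."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{api_host}/qps/rest/3.0/create/was/webapp",
        data=body.encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "text/xml",
            "X-Requested-With": "onboarding-script",  # the Qualys API rejects calls without it
        },
    )


if __name__ == "__main__":
    bodies, rejected = onboard(INVENTORY_CSV)
    print(f"{len(bodies)} request(s) ready, {len(rejected)} row(s) rejected: {rejected}")
```

The two validation checks encode the caveat that bites most onboarding projects: an unanchored blacklist regex such as `logout` also excludes `/api/logout-token`, and a pattern that happens to match the start URL excludes the whole application, so the scan finishes green with zero coverage. Rejected rows are reported by name so the false positive review in Phase 1 can start from a clean configuration rather than from an empty scan.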
Key Notable Project Metrics


The numbers: 


210 web applications onboarded into the Qualys Web Application 
Scanning Product 


37 separate authentication records created 
5 option profiles created 

2,374 total vulnerabilities detected 

182 high-severity vulnerabilities detected 
772 medium-severity vulnerabilities detected 
1,420 low-severity vulnerabilities detected 
More numbers:

Comparison Metrics

Application                Scanner       Findings (total, then breakdown as shown)
Production App - Sample 1  Competitor    17    0   3   5   8
                           Qualys WAS    25    8   3  12
Production App - Sample 2  Competitor     4    0   2   2
                           Qualys WAS    68   17  15  35
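The Comparison Metrics table compares totals, which is how such results are usually presented. To make a comparison defensible, the finding rows of both tools have to be normalised first: severity scales differ, and one tool may report the same injection point several times with different payloads. The script below is an added example, not from the slides or from Qualys or ImagineX. Both CSV exports are constructed sample data in assumed layouts, and the severity mapping (Qualys WAS levels 5 and 4 to High, 3 to Medium, 2 and 1 to Low; competitor Critical folded into High and Info into Low) is an assumption you would replace with your own.

```python
"""Compare two scanners' finding exports per application and severity.

Added example, not from the QSC 2018 slides, ImagineX or Qualys. It rebuilds
a side-by-side like the 'Comparison Metrics' slide from raw finding rows, so
every total traces back to detections and the overlap between tools is
measured rather than eyeballed. Both CSV layouts are constructed sample data in
assumed export formats. Assumed severity mapping: Qualys WAS levels 5-4 -> High,
3 -> Medium, 2-1 -> Low; the competitor's Critical folds into High, Info into Low.
"""
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed exports for one production application, in assumed column layouts.
COMPETITOR_CSV = """application,severity,category,url
Sample 2,High,SQL Injection,https://app2.example.com/search?q=1
Sample 2,Medium,Missing HttpOnly Flag,https://app2.example.com/login
Sample 2,Low,Server Banner Disclosure,https://app2.example.com/
Sample 2,Info,Cookie Without Secure Flag,https://app2.example.com/account
"""

QUALYS_WAS_CSV = """application,severity,category,url
Sample 2,5,SQL Injection,https://app2.example.com/search?q=1%27%20OR%201%3D1
Sample 2,5,Reflected Cross-Site Scripting,https://app2.example.com/search?q=%3Cscript%3E
Sample 2,3,Missing HttpOnly Flag,https://app2.example.com/login
Sample 2,2,Server Banner Disclosure,https://app2.example.com/
Sample 2,1,Cookie Without Secure Flag,https://app2.example.com/account
Sample 2,4,Cross-Site Request Forgery,https://app2.example.com/account/update
"""

RANK = {"High": 3, "Medium": 2, "Low": 1}


def competitor_severity(label):
    """Assumed mapping of the competitor's named severities onto three buckets."""
    label = label.strip().title()
    return {"Critical": "High", "High": "High", "Medium": "Medium"}.get(label, "Low")


def qualys_was_severity(level):
    """Assumed mapping of the WAS 1-5 scale (5 most severe) onto the same buckets."""
    level = int(level)
    return "High" if level >= 4 else "Medium" if level == 3 else "Low"


def load_findings(text, severity_fn):
    """Map (application, category, host, path) -> severity, keeping the worst per key.

    The query string is dropped so the same injection point reported with two
    payloads counts once; keep it if you want per-parameter granularity.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        url = urlsplit(row["url"])
        key = (row["application"], row["category"], url.netloc, url.path)
        sev = severity_fn(row["severity"])
        if RANK[sev] > RANK.get(findings.get(key), 0):
            findings[key] = sev
    return findings


def severity_counts(keys, findings):
    tally = Counter(findings[k] for k in keys)
    return {"total": len(keys), "High": tally["High"], "Medium": tally["Medium"], "Low": tally["Low"]}


def compare(competitor, qualys_was):
    """Per application: each scanner's counts plus which points both, or only one, found."""
    report = {}
    for app in sorted({k[0] for k in competitor} | {k[0] for k in qualys_was}):
        c_keys = {k for k in competitor if k[0] == app}
        q_keys = {k for k in qualys_was if k[0] == app}
        report[app] = {
            "competitor": severity_counts(c_keys, competitor),
            "qualys_was": severity_counts(q_keys, qualys_was),
            "found_by_both": len(c_keys & q_keys),
            "only_competitor": sorted(k[1] for k in c_keys - q_keys),
            "only_qualys_was": sorted(k[1] for k in q_keys - c_keys),
        }
    return report


if __name__ == "__main__":
    result = compare(load_findings(COMPETITOR_CSV, competitor_severity),
                     load_findings(QUALYS_WAS_CSV, qualys_was_severity))
    for app, row in result.items():
        print(app, row)
```

The deduplication key is the design decision that decides what a "total" means: dropping the query string treats two payloads against the same parameter as one finding, so a tool that emits one row per payload does not inflate its count. The `only_*` lists are what the expert validation step in Phase 4 works from, since a category one tool reports and the other does not is either a false positive or a coverage gap, and only a human retest says which.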
Web Application Scanning Maturity Model

Maturity Model:

             Lvl 1 - Reactive   Lvl 2 - Repeatable   Lvl 3       Lvl 4 - Integrated   Lvl 5 - Intelligent
PROGRAM      Manual             Mobilized            Automated   Integrated           Predictive
OPERATIONS   Experimental       Secure               Enabled     Interoperable        Optimized
Recommendations for next steps?

Shift Left:

* The average cost of a breach is $4 million
* Good security hygiene is preventative

Reduce Unplanned Work:

* Unplanned work affects the entire organization
* Avoid business-related project delays
* Audit fees are costly
TIME IS MONEY
Time to Detect and Time to Respond are Business Metrics

$4.0M: Average Cost of Breach
99 Days: Average Time to Detect (in Americas)

[Chart: TIME TO DETECT. Relative cost to fix, based on time of detection; y-axis 10x, 15x, 20x, 25x, 30x.]
Source: National Institute of Standards and Technology
Modern Application Security

We will leverage modern automation tooling and DevSecOps processes to deliver value efficiently.

Enterprise DevSecOps
ImagineX Helps With AppSec Health Checks

Application Security Health Checks description:

* Web application security assessment focused on discovery and identification of web assets and their associated highest risk vulnerabilities, including the OWASP Top Ten.
* Effective way to identify high-risk web application vulnerabilities that would be easily identified by attackers.
* Provide clients a cost-effective way to quickly check the security posture of applications.

Key Strengths

* Quick. High risk focus. Ideal for tight schedules or budgets. Easily incorporates with Qualys WAS to expand upon application security capabilities.
Comprehensive AppSec Assessments

Comprehensive Application Security Assessments description:

* Service also commonly known as Application Pentesting.
* A complete web application security assessment identifying vulnerabilities such as the OWASP Top Ten, business logic flaws and other web application security weaknesses that may not or cannot be detected with an automated scanner.
* A combination of automated discovery and vulnerability scanning with experienced professionals manually testing to provide the highest level of security assurance and advanced vulnerability identification.

Key Strengths

* Eliminate the need to hire AppSec specialists, or supplement the resources you do have. Leverage expert technical knowledge and expertise.
Managed AppSec Qualys WAS Scanning Services

Managed Application Security Scanning description:

* Continuously discover and monitor web applications for security vulnerabilities utilizing Qualys WAS.
* Recurring automated web application vulnerability scanning and confirmation of findings.
* Supplemented with expert validation of findings to eliminate false positives.

Key Strengths

* Agile, quick, expert verification lowers remediation efforts. Ensure resources are spending time addressing vulnerabilities instead of managing a testing platform.